A Fuzzy Taxonomic Approach for Classifying and Identifying System Attacks and Automating Attack Response

GREGORY VERT, RENE DOURSAT

Department of Computer Science, University of Nevada, Reno

Reno, NV 89557, USA

Abstract: - Initial identification of attacks on computer systems is crucial to defending against them. A detailed classification system gives system administrators a tool for combating these attacks in the most effective fashion—by providing them with a specific path of action. There exists a tremendously wide range of attacks and defending against these requires an almost encyclopedic knowledge of their attributes and signatures. By relying on taxonomies that place entities in ever smaller and more precise groups, the user can rapidly identify common features and properties. However, different attacks can have similar attributes that can confuse classification. Therefore, we propose to use fuzzy logic both in the classification of attacks and an automated attack response system based on the selection of action rules.

Key-Words: - Fuzzy Logic, Computer Security, Attacks, Taxonomy, Complex Systems

1 Introduction

With the proliferation of viruses, worms, denial of service attacks and other vulnerabilities, network security experts have been continuously updating and reevaluating the methodologies used by malicious attackers. It has been estimated that about 10-20 new viruses appear daily [1]; due to this, security compromises are reported almost daily.

Several information resources are available that will notify users of new security holes on a subscription basis [2,3,4,5]. There are also several security databases that will let users browse the vulnerabilities for various software packages [6,7].

Companies such as Symantec, Security Focus and CERT keep large databases of known attacks [6,7,11]. Symantec has over 50,000 entries for known internet security related threats [13]. With the proliferation of new viruses daily, these databases will soon become unwieldy.

2 Problem Formulation

One approach to the classification problem is to develop a taxonomy of current attacks that classifies the various attack methodologies into distinct categories. By categorizing attacks, we can begin to look for patterns and common features of attacks. Standard responses to each attack classification can then be developed. This has the potential to prevent new, unreported attacks from succeeding even without the installation of a patch.

There has been research attempting to classify different types of attacks, from Unix specific vulnerabilities [8,9] to network attack assessment [10]. This research has been important and useful, but its classification has focused on a specific class of attacks. We propose the classification of a broad range of computing attacks into a common hierarchy. This paper presents a novel approach to attack detection and defense that can potentially handle attacks by organizing them into taxonomic categories. Because attacks can often be similar in modality but require different responses, some attacks can be classified into different branches of the taxonomy. To solve this problem, we utilize fuzzy logic and fuzzy linguistic variable techniques to select an attack response. A method of developing standard responses to each attack classification is then developed. This work has the potential to be highly beneficial to the security community.

3 Problem Solution

Attack databases, such as Security Focus’ Vulnerability Database [6] and NIST’s ICAT [7], list information about reported attacks, but they do not provide the means for dynamic classification of unknown attacks. In contrast, our approach describes a methodology that can potentially be used to identify known attacks and subsequently classify newly developed ones in real-time with the use of a taxonomy.

4th WSEAS Int. Conf. on COMPUTATIONAL INTELLIGENCE, MAN-MACHINE SYSTEMS and CYBERNETICS Miami, Florida, USA, November 17-19, 2005 (pp29-34)

A taxonomy is a scientific technique to describe and organize categories of entities by representing objects in a hierarchy. Our approach makes use of a set of attack attributes which describe how an attack executes. The attack attributes are populated with an attack’s properties, which are then applied to an attack taxonomy for classification. Attacks with common or similar attributes will be located in the same category of the taxonomic tree. By using this classification, a system could potentially be devised to take an appropriate action based on the classification of the attack within the taxonomies. This method can preclude a lengthy search through a large database of attacks for a possible defense.

Through careful choice of attribute list members, our taxonomy can conceivably support all known types of attacks. This attribute list may be altered in the future as new attacks present themselves.

3.1 Attack Attributes

We have developed and continue to develop a list of attributes to describe an attack and relate them in a fashion that would support taxonomic trees. We devised a top-down naming scheme. The first attribute is the root tree node and each subsequent attribute is a subnode. These attributes are period-delimited. For example, the Bandwidth attribute in the network taxonomy is written as:

Network.Bandwidth

and the InPorts under TCP in the same network taxonomy (Fig. 1) is written as:

Network.Protocol.TCP.InPorts

For attributes that have multiple values, we separate the values by commas, and define ranges using the “En dash” character (–). For example, a TCP port scan that targets ports 25 (SMTP), 80 (HTTP), and 1024 through 6000 would be defined as:

Network.Protocol.TCP.InPorts = 25, 80, 1024–6000
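As an added example (not code from the paper), the following Python parses and re-serialises attribute assignments in this syntax, expanding comma-separated values and en-dash ranges, and checks an observed path/value pair against a parsed attribute. Accepting a plain hyphen as a range separator is an assumed tolerance, and the function names are my own.

```python
import re

# The paper separates values with commas and ranges with an en dash (U+2013).
EN_DASH = "\u2013"


def parse_attribute(line):
    """Parse 'Network.Protocol.TCP.InPorts = 25, 80, 1024–6000' into a
    (path, values) pair: the period-delimited path as a tuple and the
    expanded value set. Raises ValueError on malformed input."""
    name, sep, rhs = line.partition("=")
    path = tuple(p.strip() for p in name.split("."))
    if not sep or not all(path):
        raise ValueError(f"malformed attribute: {line!r}")
    values = set()
    for item in rhs.split(","):
        item = item.strip()
        # A plain hyphen is tolerated beside the en dash (assumption, not the paper's syntax).
        m = re.fullmatch(rf"(\d+)\s*[{EN_DASH}-]\s*(\d+)", item)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise ValueError(f"inverted range: {item!r}")
            values.update(range(lo, hi + 1))
        elif item.isdigit():
            values.add(int(item))
        else:
            raise ValueError(f"bad value: {item!r}")
    return path, values


def format_attribute(path, values):
    """Inverse of parse_attribute: collapse consecutive values back into
    en-dash ranges so the attribute reads as the paper writes it."""
    runs, start, prev = [], None, None
    for v in sorted(values):
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            runs.append((start, prev))
            start = prev = v
    if start is not None:
        runs.append((start, prev))
    text = ", ".join(str(a) if a == b else f"{a}{EN_DASH}{b}" for a, b in runs)
    return f"{'.'.join(path)} = {text}"


def matches(attribute, observed_path, observed_value):
    """True when an observed (path, value) pair falls inside the attribute."""
    path, values = attribute
    return tuple(observed_path.split(".")) == path and observed_value in values
```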

Our taxonomy includes 22 separate attack attributes. For the sake of brevity this list is not included in this paper. We will give a short overview of the taxonomy and structure in the following sections.

The attack attributes list a distinguishing set of actions and states of different attacks. We looked at different databases that compile information on existing attacks [6,7] and found the following general classifications among them:

• Remote access through a network connection
• Attacks that modify/create files on the file system
• Attacks executed using an exploit for a particular operating system and daemon
• Attacks that use kernel services for elevated privileges

3.2 Node Actionable Response Rules

It is useful to have a series of responses that can potentially thwart an attack. Complex systems theory makes a general supposition that complex behaviors can be created through the composition and action of a series of smaller, simpler rules. For example, ants obey simple rules, such as following a scent trail to a food source and dragging food back to the nest. In total, a number of ants performing this task create the complex society we think of as an ant colony. In this sense, we have placed into the nodes of our taxonomy simple localized rules that react to an attack on just the node characteristics. For example, a rule in the Network taxonomy might be

Network.TCP.InPort = n
Network.ActionRule = block n

These action rules are collected as processing drops through layers of the taxonomies until it reaches a leaf node. There they form a complex set of responses to an attack which is actioned upon through the use of fuzzy logic.

3.3 Attack Taxonomies

As stated in section 3.1, the first type of taxonomy developed here is based on common attributes of attacks that originated through a remote connection across a network.


Fig. 1: Network Attribute Taxonomy (figure not reproduced; nodes shown: Network, Protocol, TCP, UDP, Inport, Outport, Encryption; linguistic variables Fr and Fm)

Fig. 1 presents the network attribute taxonomy. In our hierarchy, child nodes inherit all the attributes and descriptive properties of their parent nodes, as well as having node specific attributes. The network attributes specified in the tree help to define attacks based on the protocol, bandwidth, and action characteristics of the attack.

Of note in the network taxonomy is that attacks originating outside of a network may depend on the target computer running a vulnerable daemon or service. This is represented in the tree by the TCP or UDP port number. If an attack requires a service or daemon, the attribute will reflect the default port number(s) of that service.

In our research we also found an entire category of attacks on files and file systems, as mentioned above. The file system taxonomy (Fig. 2) was developed to structure and organize this data into a taxonomic model. The attributes in this tree define what files on the victim’s machine are created, changed, and deleted. It also allows for operating system specific attributes, such as registry entries in the Microsoft Windows environment.

Fig. 2: File System Attribute Taxonomy (figure not reproduced; nodes shown: FileSystem, File, Registry, Create, Replace, Edit, Delete; linguistic variables Fm | Da)

Another category of attacks is based on system exploits. Fig. 3 presents the exploit attribute taxonomy which was referenced in section 3.1. The exploit tree defines the vulnerability that an attacker may use on a victim’s machine. This taxonomy models common programming errors, improper configurations, and user errors.

Fig. 3: Exploit Attribute Taxonomy (figure not reproduced; nodes shown: Exploits, Configuration, Default Setting, Operating Systems, Stack, Buffer Overflow, Replay, Form, Session Hijacking, Social Engineering, IP Spoofing; linguistic variables Fm | Da)

Finally, attacks exist that use services and drivers to gain elevated system privileges [14]. The kernel taxonomy, mentioned above, is presented in Fig. 4 and shows the types of attacks that are possible using kernel privileges.

Fig. 4: Kernel Attribute Taxonomy (figure not reproduced; nodes shown: Kernel, Service, Driver, Load; linguistic variables Fr and Sp)

Newer attacks include the use of device drivers and kernel services that allow malicious users to completely bypass security and take complete control of the victim’s computer.

Consolidating all of the above attacks into a single taxonomy produces what might be referred to as a taxonomic graph. This taxonomy is shown in Fig. 5, where each box represents one of the subtaxonomies presented in Fig. 1 through Fig. 4.


Ka – Kernel attribute tree
Ea – Exploit attribute tree
Na – Network attribute tree
Fa – File attribute tree

Fig. 5: Consolidated Taxonomic Graph (figure not reproduced; nodes shown: ROOT, Media, Method, Physical, Cracking, (operating system), Na, Ea, Fa, Ka, and the input vector V[])

In Fig. 5 all leaf nodes are connected to the next subtaxonomic tree’s root except for the right subtree connection from Ea to Ka. In this case, only the “operating system” node of the Exploit subtree is connected to the root of the Kernel subtree.

Input vector V is an n-dimensional feature vector whose attributes describe data about an attack as it is being observed. This vector contains the same attributes as those used in the subtrees when selecting and moving to the next child node. At this point in the development of our research it was realized that an attack can actually branch to two or more child nodes in a subtree or two or more subtrees in the consolidated taxonomic graph. The reason is that attacks are typically multi-pronged in their approaches. For instance, an attack may occur over the network primarily; however, the instigator of an attack may also be sitting at a computer on the system trying to crack a password and gain physical access. For this reason, there may be multiple child nodes toward which an attack description can eventually bifurcate. However, attacks are typically going to have a preferred modality, e.g., Attack X primarily likes to use the network. For this reason, fuzzy logic was used to extend the above trees using linguistic variables and concepts of fuzzy object-oriented model design.

Fuzzy linguistic variables model the vagueness of human speech into a computable model. There are several approaches to this type of modeling [17]. One of the first tasks is to determine a suitable descriptive domain. Upon examination of our model we realized that the following domains would probably best describe the properties of an attack:

Frequency (Fr) = { never[0], sometimes[.25], usually[.5], most of the time[.75], always[1] }

Damage (Da) = { none[0], unknown[.30], probable[.55], definite[.80], severe[1] }

Speed (Sp) = { none[0], below average[.25], average[.5], above average[.75], fast[1] }

Familiarity (Fm) = { known[0], similar[.5], unknown[1] }

This suggests a classification tuple of fuzzy linguistic variables (FLV) where:

FLV[] = (Fr, Da, Sp, Fm)

The linguistic variables are shown where they are located in the taxonomy trees (Fig. 1 to Fig. 4) using their abbreviations mentioned above. Each of the fuzzy linguistic variables is in the range [0, 1] where 0 and 1 are crisp. Fuzzy values associated with the variables are indicated above inside the brackets []. In addition to the input vector V[] of characterizing attributes, we utilize fuzzy linguistic variables to characterize the attack. As input data in V[] is classified and processed down through the tree, branch points of the taxonomy tree have the values for the linguistic variables assigned automatically as additional fuzzy characterizations of the attack. Selection of the correct fuzzy linguistic variables can be done by the system. This can produce a human readable version of what the system thinks is happening. For example, collection of data from computers currently being attacked may indicate that 75% of the time, a TCP port is selected for an attempted entry into the system. Considering that this is a frequency variable (Fr), the fuzzy values assigned to the tcp attribute in V[] might look like the following in the Na taxonomy tree:

Network.tcp = most of the time (fuzzy Fr = .75)
Network.udp = sometimes (fuzzy Fr = .25)


Network.TCP.InPort = n
Network.TCP.OutPort = null
Network.ActionRule = block n

Notice that node action rules are also found at each node in the subtrees and tailored to a localized response to attack. However, they are not actioned until processing enters a leaf node, where they form a complex rule base tailored to the elements of the attack. This borrows from complex systems theory, which supports the idea that a composite collection of small simple rules can form complex behaviors.

Once at the leaf nodes, where the set of all accumulated response rules are actioned, the values of the fuzzy classifiers are joined together through the following operation:

$$\mathrm{FAct} = \frac{\sum_{i=1}^{n} w_i \, FLV_i[\,]}{\sum_{i=1}^{n} \lvert FLV_i[\,] \rvert} \qquad (1)$$

where:

|FLV| – cardinality of the FLV vector
n – number of leaf nodes with FAct values

Fuzzy actionability (FAct) values can exist in several leaf nodes ranging from large to small values. This borrows from the fact that an attack’s classification mentioned earlier may go down multiple branches of a taxonomic tree based on how the FLV[] set is applied to attributes at each node. The concept is the same as the one found in fuzzy object-oriented diagrams and fuzzy subsets. Fig. 6 illustrates this point. In this case an attack can crisply belong to an Ea leaf node, or a Ka leaf node. However, with the application of the FLV variables, it is possible that an attack belongs to one or more leaf nodes.

Fig. 6: Partial membership of an attack in multiple leaf nodes (figure not reproduced; it shows Attack X with partial memberships of .8 and .2 across a Ka leaf node and an Ea leaf node)

Fuzzy membership implies that an attack is a subset of a node by the following

$$A \subseteq B \Leftrightarrow \forall x \in U,\; u_A(x) \le u_B(x) \qquad (2)$$

where:

U – all possible attacks
x – any attribute in A’s attack vector V[]
A – set of attributes of vector V[] for an attack X
B – set of attributes of vector V[] for leaf nodes B

The application of the response rules examines the FAct values and applies them in the following algorithm:

While (attack in progress)
    build V[]
    process taxonomic graph
    node to action (NTA) = max[all leaf nodes]
    set NTA.FAct = null
    execute actionable rule set
End While

Fig. 7: Algorithm to apply fuzzy linguistic variables

As an example of this algorithm, a reconnaissance attack to gather information might perform port scans on TCP or UDP ports. A potential response to this attack via FAct and action rules could be to deny access to the originator of the port scan. The system can optionally insert a firewall rule that blocks all future traffic from the attacker. For preventive measures, the firewall can be configured to deny all traffic and only allow packets from pre-determined static IP addresses [15]. There are also known methods that can be used to thwart OS fingerprinting techniques [16].
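Added example, not the authors' prototype: a Python model of sections 3.2 and 3.3 and the Fig. 7 loop that drops a constructed observation vector V[] through a fragment of the network taxonomy, accumulates node action rules and FLV terms down to each leaf, scores each leaf with a normalised weighted sum standing in for equation (1) (the equation is garbled in the extracted text, so that formula is an assumption), and actions leaves in descending FAct order. The node names, predicates, rule templates and the sample V[] are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Linguistic domains and fuzzy values as listed in section 3.3 of the paper.
DOMAINS = {
    "Fr": {"never": 0.0, "sometimes": 0.25, "usually": 0.5,
           "most of the time": 0.75, "always": 1.0},
    "Da": {"none": 0.0, "unknown": 0.30, "probable": 0.55,
           "definite": 0.80, "severe": 1.0},
    "Sp": {"none": 0.0, "below average": 0.25, "average": 0.5,
           "above average": 0.75, "fast": 1.0},
    "Fm": {"known": 0.0, "similar": 0.5, "unknown": 1.0},
}

@dataclass
class Node:
    name: str                                      # period-delimited attribute path
    test: Optional[Callable[[dict], bool]] = None  # predicate over V[]; None always matches
    flv: dict = field(default_factory=dict)        # linguistic terms set at this branch point
    rules: list = field(default_factory=list)      # localized node action rules (templates)
    children: list = field(default_factory=list)

def walk(node, v, rules=(), flv=()):
    """Drop V[] through the tree, collecting action rules and FLV terms; yields
    (leaf_name, rules, flv) for every leaf reached (several when the attack bifurcates)."""
    if node.test is not None and not node.test(v):
        return
    rules = rules + tuple(node.rules)
    flv = flv + tuple(node.flv.items())
    if not node.children:
        yield node.name, rules, flv
    for child in node.children:
        yield from walk(child, v, rules, flv)

def fact(flv, weights=None):
    """Fuzzy actionability of a leaf: weighted sum of the FLV values on its path,
    divided by their cardinality (equation (1) is garbled; this reading is an assumption)."""
    if not flv:
        return 0.0
    weights = weights or {}
    return sum(weights.get(k, 1.0) * DOMAINS[k][term] for k, term in flv) / len(flv)

def respond(root, v, weights=None):
    """Fig. 7 loop for one observation: action the leaf with the largest FAct, null
    its FAct, repeat. Returns the ordered list of (leaf_name, FAct, instantiated rules)."""
    leaves = {name: (fact(flv, weights), rules) for name, rules, flv in walk(root, v)}
    actioned = []
    while leaves:
        nta = max(leaves, key=lambda n: leaves[n][0])   # NTA = max[all leaf nodes]
        score, rules = leaves.pop(nta)                  # set NTA.FAct = null
        actioned.append((nta, score, [r.format(**v) for r in rules]))
    return actioned

def sample_network_tree():
    """Constructed fragment of the Fig. 1 network taxonomy, not the paper's full
    22-attribute list; the FLV terms and rule templates are illustrative."""
    inport = Node("Network.Protocol.TCP.InPort", test=lambda v: "port" in v,
                  flv={"Da": "probable", "Fm": "similar"},
                  rules=["deny inbound {port} from {src}"])
    tcp = Node("Network.Protocol.TCP", test=lambda v: v.get("proto") == "tcp",
               flv={"Fr": "most of the time"}, rules=["block {src}"], children=[inport])
    udp = Node("Network.Protocol.UDP", test=lambda v: v.get("proto") == "udp",
               flv={"Fr": "sometimes"}, rules=["drop udp from {src}"])
    bandwidth = Node("Network.Bandwidth", test=lambda v: v.get("pps", 0) > 1000,
                     flv={"Sp": "average", "Da": "probable"}, rules=["rate-limit {src}"])
    protocol = Node("Network.Protocol", children=[tcp, udp])
    return Node("Network", children=[protocol, bandwidth])

# Constructed observation vector V[]: a rapid TCP scan of port 25 from one source.
SAMPLE_V = {"proto": "tcp", "port": 25, "src": "192.0.2.10", "pps": 5000}

if __name__ == "__main__":
    for leaf, score, rules in respond(sample_network_tree(), SAMPLE_V):
        print(f"{leaf}: FAct={score:.3f} rules={rules}")
```

The TCP path wins here because its accumulated terms (Fr .75, Da .55, Fm .5) average higher than the Bandwidth leaf's (Sp .5, Da .55), and its rule set carries the parent node's "block" rule down with it.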

5 Conclusion

The wide range of attacks available makes detection and defense a difficult prospect. Identifying an attack is the first step in combating it. By categorizing attacks into an initial taxonomy, we are developing a quick method of identification. The application of fuzzy logic to selection of actionable rules creates a system that reasons dynamically about attack responses.


This initial work is being further refined and developed. We have built a small prototype that uses fuzzy logic to check classification of attacks against the taxonomy. Known attacks are being used to verify our approach. This allows further refinement of search and classification techniques. Once known attacks have been classified and our methods validated, we are moving to classify undocumented attacks as they are presented. With a working system that can be queried quickly, our eventual goal of real-time identification and classification of attacks may be realized.

References:

[1] Ducklin, Paul. The ABC of Computer Security. Retrieved April 12, 2003, from http://www.sophos.com/virusinfo/whitepapers/abc.html

[2] Symantec Corporation. Security Response. Retrieved March 15, 2003, from http://securityresponse.symantec.com/

[3] SecurityFocus. What is BugTraq? Retrieved March 15, 2003, from http://www.securityfocus.com/popups/forums/bugtraq/intro.shtml

[4] NTBugTraq. NTBugTrack Home. Retrieved March 16, 2003, from http://ntbugtraq.ntadvice.com/

[5] SANS Institute. Computer Security Education and Information Security Training. Retrieved March 20, 2003, from http://www.sans.org/

[6] SecurityFocus. Vulns Archive. Retrieved March 12, 2003, from http://www.securityfocus.com/bid

[7] National Institute of Standards and Technology. ICAT Metabase. Retrieved March 13, 2003, from http://icat.nist.gov/icat.cfm

[8] Taimur Aslam. A Taxonomy of Security Faults in the Unix Operating System. Master’s Thesis, Purdue University, Department of Computer Sciences, August 1995.

[9] M. Bishop. A Taxonomy of Unix System and Network Vulnerabilities. Technical Report CSE-9510, Department of Computer Science, University of California at Davis, May 1995.

[10] Shostack, Adam and Scott Blake. Towards a Taxonomy of Network Security Assessment Techniques, July 1999. Retrieved March 29, 2003, from http://razor.bindview.com/publish/papers/taxonomy.html

[11] CERT. CERT® Advisory CA-2003-07 Remote Buffer Overflow in Sendmail. Retrieved April 2, 2003, from http://www.cert.org/advisories/CA-2003-07.html

[12] Symantec Corporation. Backdoor.FTP_Ana.D. Retrieved April 13, 2003, from http://securityresponse.symantec.com/avcenter/venc/data/backdoor.ftp_ana.d.html

[13] Symantec Corporation. Security Response. Retrieved April 21, 2003, from http://securityresponse.symantec.com/avcenter/search.html

[14] SANS Institute. Knark: Linux Kernel Subversion. Retrieved April 24, 2003, from http://www.sans.org/resources/idfaq/knark.php

[15] Cole, Eric. Hackers Beware. New Riders Press, Indianapolis, IN, 2002.

[16] Berrueta, David Barruso. A Practical Approach for Defeating NMAP OS-Fingerprinting. Retrieved April 24, 2003, from http://voodoo.somoslopeor.com/papers/nmap.html

[17] Yen, John, Langari, Reza. Fuzzy Logic, Intelligence, Control and Information, Prentice Hall, 1999.
